Services should listen on allowed ports only - Microsoft recommendation

Valy
Community Member

Hi.
Microsoft Defender for Cloud has the following recommendations for the containers, and the overall security score is affected.
What would the 1Password best practices be?


Comments

  • Hi @Valy ,

    Thanks for reaching out. About the three recommendations you have received -

    1. Service should listen on allowed ports only: The only networking traffic that the SCIM bridge performs is through port 443. As long as communication through this port is not blocked or restricted based on IP, and access to the SCIM bridge endpoints on the cluster is also not blocked, then enabling these features should not cause degraded performance on the bridge.

    2. Immutable (read-only) root file system should be enforced for containers: This is categorized under the medium risk level; however, it is safe to ignore. Both op-scim and redis containers require writing to the file system but are not root. Redis needs to write to its cache, and op-scim needs to be capable of having a scimsession file installed on it post-deployment in certain configurations that we must support (even though this doesn't apply to your specific deployment method), so it requires write access. But neither container runs its process as root. Both are high-number non-root users.
      This largely protects against misconfigurations by employees who are actively deploying resources in the cluster. Preventing the containers from writing to their respective file systems would break them.

    3. Container images should be deployed from trusted registries only: This warning suggests preventing deployment of images that are not from a trusted registry; this would prevent deployment of an arbitrary container image. Even without enacting this policy, an attacker would need your Azure credentials in order to deploy anything to your cluster. This warning can be mitigated by adding Docker Hub Container Registry as a trusted registry.
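As an added example (not part of the original thread, and not 1Password's or Microsoft's own tooling), here is a small Python checker that evaluates a Kubernetes pod spec against the three Defender for Cloud recommendations discussed above: allowed listening ports, read-only root filesystem and non-root user, and trusted image registries. The allow-lists, the placeholder image name and the sample pod spec are constructed assumptions; running it on the sample shows exactly the expected findings from the answer (writable filesystem on both containers, Docker Hub images trusted, only the redis sidecar listening on a port other than 443).

```python
"""Audit a pod spec against the three Defender for Cloud checks in the thread.
Allow-lists and the sample pod are constructed for illustration only."""

ALLOWED_PORTS = {443}               # assumption: the bridge only needs HTTPS
TRUSTED_REGISTRIES = {"docker.io"}  # assumption: Docker Hub marked as trusted


def image_registry(image: str) -> str:
    """Registry host of an image reference; bare names such as
    'redis:7' or 'example/op-scim:1.0' resolve to Docker Hub."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def audit_pod(spec: dict) -> dict:
    """Map each container name to its list of findings (empty = passes)."""
    findings = {}
    for c in spec.get("containers", []):
        issues = []
        sc = c.get("securityContext", {})
        for p in c.get("ports", []):                       # recommendation 1
            if p.get("containerPort") not in ALLOWED_PORTS:
                issues.append(f"listens on disallowed port {p.get('containerPort')}")
        if not sc.get("readOnlyRootFilesystem", False):    # recommendation 2
            issues.append("root filesystem is writable")
        if not sc.get("runAsNonRoot", False):
            issues.append("runAsNonRoot not set")
        registry = image_registry(c["image"])              # recommendation 3
        if registry not in TRUSTED_REGISTRIES:
            issues.append(f"image from untrusted registry {registry}")
        findings[c["name"]] = issues
    return findings


# Constructed sample: an op-scim container (placeholder image name) with a
# redis sidecar; both run as high-numbered non-root users but need a writable FS.
SAMPLE_POD = {"containers": [
    {"name": "op-scim", "image": "example/op-scim:1.0",
     "ports": [{"containerPort": 443}],
     "securityContext": {"runAsNonRoot": True, "runAsUser": 10000,
                         "readOnlyRootFilesystem": False}},
    {"name": "redis", "image": "redis:7",
     "ports": [{"containerPort": 6379}],
     "securityContext": {"runAsNonRoot": True, "runAsUser": 10001}},
]}

if __name__ == "__main__":
    for name, issues in audit_pod(SAMPLE_POD).items():
        print(f"{name}: {'; '.join(issues) or 'OK'}")
```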